[Opendnssec-develop] DelegationSignerSubmitCommand
Rickard Bellgrim
rickard.bellgrim at iis.se
Thu Dec 9 10:15:09 UTC 2010
On 8 dec 2010, at 11.14, Sion Lloyd wrote:
>> The rollover procedures are still quite a mess. Could you perhaps propose
>> how we should do this in a clean way, so that the
>> DelegationSignerSubmitCommand also function as intended?
>>
>
> The only way I can think to make this clean is to force a pure rollover scheme
> on the user... This would mean disabling the no-retire flag and having the
> dssub command only send the new key.
>
> Is this too draconian and restrictive though? Keep in mind that this might be
> the only KSK rollover scheme available for the next two releases...
What do you Jakob say about this?
> Is it too late in the release to introduce a new flag or rollover option
> "strict" which forces this behaviour? (I think so, but will work on this if we
> think it is really needed.)
Yeah, new feature is too late. And another flag will confuse it even more.
> We could document the current situation and fix this either after the release
> in 1.2 or for 1.3 (which I believe will not have the new enforcer code)?
Ok, yes. The option is to fix this in 1.2 or 1.3. Do we have any comments on this?
// Rickard
More information about the Opendnssec-develop
mailing list